Precision Care’s HIPAA Privacy Officer: Theresa O’Doherty
Contact: Theresa.ODoherty@PrecisionCareSolutions.com
Precision Care will execute a Business Associate Agreement with all clients that are HIPAA Covered Entities.
1.1 Designation of Privacy Official
Policy
Each organization governed by HIPAA must designate a privacy official, in charge of developing and implementing Privacy Rule policies and procedures. Precision Care’s policy is to fulfill this obligation by appointing a security official with the title “Privacy Officer.” The Privacy Officer will take primary responsibility for Precision Care’s compliance with federal and state privacy standards.
Procedure
Precision Care shall ensure that it has a Privacy Officer at all times. Precision Care shall appoint a Privacy Officer by vote of the Board of Directors (or other governing body, if there is no Board of Directors).
The Privacy Officer is responsible for:
- Establishing Precision Care’s data privacy program and overseeing its implementation
- Ensuring compliance with federal and state data privacy regulations and standards
- Developing policies and procedures as provided in Section 1.8
- Developing and conducting training programs on privacy policies and procedures for Precision Care’s staff members[1]
- Responding to questions from staff and patients concerning privacy policies and procedures
- Receiving complaints concerning the privacy practices described in the Notice of Privacy Practices as described in Section 1.17
- Periodically auditing compliance with privacy policies and procedures
- Reviewing annually compliance with privacy requirements, policies, and standards
- Investigating and correcting violations of privacy policies and procedures
[1] For the purposes of these policies and procedures, the terms “employees,” “staff,” “staff members,” and “workforce” may be used interchangeably to refer to Precision Care employees and non-employee members of Precision Care’s workforce, except if otherwise noted.
The Privacy Officer may assign any of these responsibilities to other staff members or contractors but continues to be responsible for making sure these responsibilities are carried out.
1.2 General Staff Responsibilities
Policy
It is Precision Care’s policy to create assurances that all staff and associates act in an appropriate and compliant manner to protect patient information under the HIPAA privacy regulations.
Procedure
All staff members are responsible for safeguarding the privacy of patient health information.
All staff members must:
- Use and disclose protected health information (“PHI”) only as authorized in their job description or as authorized by a supervisor
- Conduct oral discussions of PHI with other staff or with patients and family members in a manner that limits the possibility of inadvertent disclosures
- Complete privacy training (see Section 1.3)
- Report suspected violations of a business associate’s contractual obligations to safeguard PHI (see Section 1.7)
- Report suspected violations of the policies and procedures established in this manual by staff members (see Section 1.4)
Precision Care will provide written job descriptions to all staff members who require routine access to PHI to perform their job-related duties. Job descriptions will identify:
- The job functions that require the use or disclosure of PHI
- The classes of PHI the position will use or disclose
- Any restrictions on the PHI the position can use or disclose
- The procedures that must be followed to use or disclose PHI not routinely available to the position
Precision Care may satisfy these job description requirements by defining standard job classes (under Section 1.12) that include definitions of the positions authorized to routinely use or disclose standard categories of PHI.
1.3 Training and Education
Policy
All staff must be trained to understand and comply with the HIPAA privacy regulations and Precision Care’s privacy policies and practices. Precision Care will communicate any revisions in the regulations, policies, or practices to all staff via refresher training.
Procedure
The Privacy Officer (or a designee) will develop a privacy policy orientation and training program.
The purpose of this program is to make sure that all staff members are familiar with and understand the privacy policies and procedures that Precision Care adopts.
The training and orientation program will cover:
- The definition and identification of PHI
- How to provide the Notice of Privacy Practices to all patients and obtain a written acknowledgment of receipt
- Rules regarding the use and disclosure of PHI for treatment, payment, and health care operations
- How to obtain authorization, when required, for use and disclosure of PHI
- Procedures for handling suspected violations of privacy policies and procedures
- Penalties for violations of privacy policies and procedures
- Documentation required by the policies and procedures manual
Staff members will:
- Receive a written summary of Precision Care’s privacy policies and procedures
- Have an opportunity to review the full policies and procedures manual
- Have an opportunity to ask questions about Precision Care’s privacy policies and procedures
All staff members, including management and professional staff, are required to complete the training in privacy policies and procedures before they can use Precision Care’s information systems or are permitted to access PHI. New staff members receive security training as part of their orientation.
The Privacy Officer (or a designee) shall document the completion of the privacy policy orientation and training program in the employee’s personnel file.
If privacy policies are revised, or if there is a change in regulations requiring additional training, the Privacy Officer (or a designee) will develop training materials on new or revised privacy policies and procedures.
Staff whose job responsibilities are affected by a change in privacy policies and procedures must complete training on the revised policies and procedures within one month of their effective date.
Completion of training on revised policies and procedures will be documented in the employee’s personnel file.
1.4 Reporting of Suspected Violations of Privacy Policies and Procedures
Policy
Staff members are responsible for reporting any suspected violations of privacy policies or procedures.
Procedure
All staff members must report possible violations of privacy policies and procedures to their supervisor. If the supervisor determines that a violation occurred or that the situation warrants further investigation, the possible violation must be reported to the Privacy Officer.
Under the following circumstances, a staff member should not report potential violations to his or her supervisor and/or the Privacy Officer:
- Violations involving the staff member’s supervisor should be reported directly to the Privacy Officer.
- Violations involving the Privacy Officer should be reported to the Board of Directors (or, if no Board exists, to a Member of the company).
Staff members always have the right to contact the Department of Health and Human Services Office for Civil Rights directly as well, at OCRcomplaint@HHS.gov.
Reportable offenses include use and disclosure of PHI that may violate:
- The practices described in the Notice of Privacy Practices form
- A patient’s authorization
- These privacy policies and procedures
- Any other aspect of the HIPAA Privacy Rule
The staff member reporting a violation should briefly describe the possible violation in writing or should arrange a meeting with the supervisor/Privacy Officer/Director/Member to discuss the possible violation.
1.5 Investigation of Potential Privacy Violations by Staff Members
Policy
Precision Care takes very seriously the harm that privacy policy violations may cause. The Privacy Officer (or a designee) will investigate all potential privacy violations.
Procedure
Upon being notified of a potential violation of privacy policies and procedures by a staff member or patient (under section 1.26), the Privacy Officer will:
- Review all documentation
- Meet with the staff member(s) or patient who reported the possible violation
- Meet with the staff member(s) who may have violated the policies and procedures
- Determine what, if any, PHI was used or disclosed
- Determine whether the use or disclosure violated policies and procedures or any other aspect of the HIPAA Privacy Rule or state data privacy laws
- Determine whether the violation was accidental or intentional
- Recommend to the staff member’s supervisor the disciplinary action, if any, that should be taken
- Document the findings of the investigation and action taken
1.6 Sanctions and Penalties Policy
Policy
Precision Care will not tolerate violations of these privacy practices and procedures. Following a full investigation, Precision Care will take appropriate measures, including sanctions that may include termination, against employees who have been found to have violated Precision Care’s privacy policies.
Procedure
There are two types of violations of privacy policies and procedures:
- Technical violations that do not result in the use or disclosure of PHI
- Violations that do involve the use or disclosure of PHI
There also are two types of violations that involve use and disclosure:
- Unintentional or accidental uses or disclosures
- Intentional and deliberate uses and disclosures
Incidental disclosures of information, such as disclosures that occur when a patient asks a question in a public area, do not need to be reported, documented, or investigated. No sanction will be imposed for incidental disclosures of information. Staff members should, nevertheless, make reasonable efforts to minimize incidental disclosures.
The severity of penalties varies with the type of violation. The most severe penalties apply to the intentional disclosure of PHI in violation of policies and procedures. The least severe penalties apply to unintentional technical violations of policies that do not result in the disclosure of PHI.
Examples of violations include:
- Technical violations – When obtaining an authorization, a staff member fails to notice that the patient signed but did not date the authorization form.
- Accidental disclosure – Information on the wrong patient is accidentally sent to a third-party payer.
- Intentional disclosure – A staff member provides a drug company representative a list of patients with an identified medical condition without obtaining each patient’s authorization for this disclosure.
The procedures and penalties that apply to each of these types of violation are defined in sections 1.6.1 – 1.6.3 below.
The Privacy Officer shall establish and maintain files that document all actions taken to impose sanctions under section 1.6.
This information shall include:
- A description of, and documenting evidence for, the violation
- A statement clarifying the nature of the violation, specifically indicating whether it was technical or involved the use or disclosure of PHI, and whether the violation of policies was accidental or intentional
- A description of the sanction that was imposed
An unproven or unsubstantiated allegation of a violation of privacy policies and practices does not have to be documented.
1.6.1 Sanctions and Penalties for Technical Violations Not Involving Use or Disclosure
A staff member who commits a technical violation of privacy policies and procedures that does not result in any use or disclosure of PHI must:
- Meet with his or her supervisor to review the policies and procedures that were violated
- Demonstrate to the satisfaction of the supervisor that he or she understands the policies and procedures that should be followed in similar circumstances
The violation will be documented in the staff member’s personnel file. A pattern of repeated technical violations, even if none result in the inappropriate use or disclosure of PHI, may result in transfer to another position, suspension, or termination of the staff member.
1.6.2 Sanctions and Penalties for Unintentional Violations Involving Use and Disclosure
A staff member who unintentionally uses or discloses PHI in violation of the privacy policies and procedures must:
- Meet with his or her supervisor to review the use or disclosure of PHI that violated the medical practice’s policies and procedures or the staff member’s authority to use or disclose information
- Demonstrate to the satisfaction of the supervisor that he or she understands the uses and disclosures that he or she is authorized to make under the practice’s policies and procedures
The violation will be documented in the staff member’s personnel file. A pattern of repeated unauthorized use or disclosure of PHI will result in transfer to another position, suspension, or termination of the staff member.
1.6.3 Sanctions and Penalties for Intentional Violations Involving Use and Disclosure
The intentional violation of privacy policies and procedures may result in immediate suspension, pending further investigation, and termination. Documentation of the investigation of the violation must show clear evidence that the disclosure of information was intentional, and deliberate. The documentation may satisfy this requirement by explaining why the staff member must have had knowledge that the disclosure violated the policies and procedures of the practice.
For the purposes of this section, “knowledge” includes both actual knowledge and “constructive knowledge” – that is, what the staff member would have known if the staff member had made a reasonable inquiry or investigation.
If the staff member has previously disclosed the same or similar type of information under the same or similar circumstances, it will be presumed that the disclosure was intentional and deliberate.
1.7 Business Associates
Policy
Precision Care protects the confidentiality and integrity of health information of its patients. This policy defines the guidelines and procedures that must be followed in connection with all business associates who come into contact with PHI.
Definition: A business associate is any person or organization, not a Precision Care employee but including independent contractor staff, that performs or helps perform any function or activity that involves the transmission, use, creation, or disclosure of PHI. Business associates do not include third-party health care providers who receive, use, or transmit PHI from or to Precision Care for the purpose of providing treatment to a patient.
In short, any person (other than a Precision Care employee, and other than health care providers in a treatment context) or organization that, in the course of providing services to Precision Care, receives PHI from Precision Care, transmits PHI to Precision Care, creates PHI for Precision Care, or uses PHI received from Precision Care is a business associate.
PHI may be disclosed to a business associate only if Precision Care receives satisfactory assurances that the business associate will safeguard the privacy of the PHI that it creates or receives. One element of such satisfactory assurances is a business associate agreement (see Section 1.7.1).
1.7.1 Business Associate Agreements
A sample business associate agreement can be found in appendix A in the back of this manual.
Procedure
Precision Care must enter into a written agreement with each business associate. This contract or agreement must include (without limitation) provisions that:
- Identify the uses and disclosures of PHI permitted under the contract
- Permit the business associate to use or disclose the information only as permitted under the privacy standards
- Restrict use and disclosure of the PHI the business associate creates or receives to those that are specified in the contract
- Call on the business associate to fully comply with the provisions of the HIPAA privacy and security regulations, not limited by specific references in the contract with Precision Care
- Provide for reporting to Precision Care any use or disclosure of PHI not provided for under the business associate’s contract
- Require the business associate to apply the same restrictions and conditions on use and disclosure of PHI to the agents and subcontractors to whom it forwards the PHI
- Make PHI available to patients as provided under Section 1.23
- Amend any PHI that it receives when asked to do so by Precision Care
- Make available to Precision Care the information it needs to account for uses and disclosures of PHI as provided under Section 1.25
- Make internal practices, books, and records related to the use and disclosure of PHI available to HHS for the purposes of determining compliance with the privacy standards
- Return, if feasible, all PHI to Precision Care upon termination of the contract, and destroy any copies of such information. When return and/or destruction of PHI is not feasible, the business associate will extend contractual protections to the use and disclosure of the information for the purposes that make its return or destruction not feasible.
- Notify Precision Care in the event of an unauthorized disclosure of unsecured PHI
- Provide for termination of the services agreement if the business associate violates these contractual provisions
- Comply with the privacy rule to the extent the business associate is carrying out the organization’s obligations under the privacy rule
- Require the business associate to enter into business associate agreements with their subcontractors that impose the same obligations as those that apply to the business associates themselves
1.7.2 Duty of Staff to Report Contractual Breaches by Business Associates
Procedure
If a staff member becomes aware of activities or practices by the business associate that violate the medical practice’s contractual obligations, the activities or practices must be reported to the Privacy Officer.
1.7.3 Investigation and Correction of Contractual Breaches
Procedure
When the Privacy Officer is notified that a business associate has violated a contractual provision related to the privacy of PHI, the Privacy Officer will carry out the following procedures to try to correct the violation:
- The Privacy Officer will contact the business associate, obtain and review all relevant documents and information, and determine whether a contractual provision has been violated.
- If a contract provision has been violated, the Privacy Officer will identify steps to be taken by the business associate that will enable it to comply with its contractual obligations.
- The Privacy Officer will review the corrective action steps with the business associate and determine whether those steps or other measures suggested by the business associate will correct the violation. If an agreement can be reached, the corrective measures will be summarized in writing and sent to the business associate.
- The Privacy Officer will monitor the implementation of the corrective action measures by periodically contacting the business associate. The Privacy Officer may discontinue monitoring the contract after receiving adequate assurances that the corrective measures have been implemented and that the contract provisions will be complied with in the future.
- If it is not possible to develop an acceptable corrective action plan, or if the business associate fails or refuses to comply with the corrective action plan, then the Privacy Officer must implement the procedures established in Section 1.7.4 to terminate the contract.
If the violation resulted in the unauthorized use or disclosure of PHI, or any other HIPAA breach, then – regardless of whether the violation may be corrected – the Privacy Officer will cause Precision Care to take the steps described in the Breach Incident Management Policies and Procedures.
1.7.4 Reporting of Contractual Breaches by Business Associates
Procedure
When the Privacy Officer is not able to correct violations of the business associate agreement by a business associate, the Privacy Officer will implement the following procedure.
- Identify an alternative source for the services provided by the business associate.
- Refer the matter to Precision Care’s legal counsel with a request that formal action be taken to terminate the contract.
- Have Precision Care’s legal counsel notify the business associate that action will be taken to terminate the contract if the violation of contract provisions is not immediately corrected.
- Monitor the status of the contract and arrange for replacing the business associate when the contract is formally terminated.
- Report the violation to the Department of Health & Human Services, if required by federal regulations.
1.8 Development and Maintenance of Privacy Policies and Procedures
Policy
Precision Care is responsible for developing and maintaining written privacy policies and procedures pursuant to the HIPAA privacy standards.
Procedure
The Privacy Officer will develop policies and procedures that are reasonably designed to ensure compliance with federal and state standards for the protection of the privacy of health information. The Privacy Officer may delegate this responsibility to a staff member, but such delegation must be reflected in that staff member’s job description, and the Privacy Officer will supervise the development of all privacy policies and procedures.
The Privacy Officer must:
- Monitor changes in federal and state law and regulations that may require changes in privacy policies and procedures.
- Notify the Board of Directors (or other governing body, if there is no Board of Directors) of the issuance of new or revised federal or state requirements and describe the need to modify policies and procedures, including the date by which revised policies and procedures must be implemented.
- Take the initiative to develop new or revised policies and procedures as necessary to meet the requirements of new laws and regulations.
- Identify any revisions needed in the privacy orientation and training program to reflect revised policies and procedures.
Before a revised policy or procedure is submitted for approval, the Privacy Officer will review the Notice of Privacy Practices form (see Section 1.17) and determine whether the notice must be revised to reflect the new privacy policies or procedures.
The effective date of a revised policy or procedure must not be earlier than the date on which the revised Notice of Privacy Practices is posted and made available to patients.
All policies and procedures must be approved by the Board of Directors (or other governing body, if there is no Board of Directors) of Precision Care before being implemented.
Precision Care will communicate new or revised policies and procedures to staff as follows:
- An all-staff memorandum from the Privacy Officer will announce the adoption of the new or revised policies and indicate affected staff functions. This memorandum should describe the new policy, indicate its effective date, and indicate the date on which the new policy will be available for staff review.
- The Privacy Officer will announce the adoption of the new policies at appropriate staff meetings and provide appropriate training.
- A memorandum from the Privacy Officer to those staff members whose job responsibilities are directly affected by the new policies should indicate whether training or orientation meetings or programs will be held and whether background information on the new policies is available. A copy of the revised policy may be attached to the memorandum; if not, then staff will be directed to consult the updated policy and procedure manual.
- Copies of the revised policy will be distributed to staff members for updating their copies of the policy manual.
1.9 Documentation and Record Keeping
Policy
Precision Care will establish and maintain appropriate systems for maintaining documentation related to the HIPAA privacy regulations. This documentation will be retained for the appropriate timeframes based on the regulations.
Procedure
The Privacy Officer will establish and oversee record-keeping systems to maintain the documentation required by the HIPAA privacy regulations as discussed in various policies throughout this manual.
The information to be maintained in written documentation includes, but is not limited to:
- The policies and procedures contained in this policy manual
- The Notice of Privacy Practices
- The signed acknowledgments of receipt of the Notice of Privacy Practices
- Signed authorization forms
- Records of disciplinary actions taken against staff members for violations of privacy policies and procedures
- Records of actions taken to enforce compliance with contract provisions by business associates
- Complaint forms received from patients or other individuals and associated written correspondence
- All requests for an accounting of disclosure of PHI and records related to such requests
- All requests for amendment of PHI and records related to the disposition of such requests
1.9.1 Retention of Records
Procedure
All documentation of actions called for by other policies and procedures contained in this manual will be retained for a minimum of six years from the date the information was created.
This manual of policies and procedures (and any revisions) will also be retained for a minimum of six years. The six-year retention period of this manual will be measured from the date of the most recent revision of the policy. In other words, when new policies are issued, a copy of the policies that are superseded should be retained for reference purposes for six years following the last day the policy was in effect.
1.10 Use and Disclosure of PHI for Treatment Purposes
Policy
Precision Care uses PHI in the course of providing treatment to patients. Precision Care shall do so pursuant to its Notice of Privacy Practices and the HIPAA Privacy Rule. The use and disclosure of information for the purpose of treatment does not require specific authorization (see Section 1.18).
Procedure
The use of information for treatment purposes is described in the Notice of Privacy Practices. Before nonemergency treatment is initiated, Precision Care must obtain the patient’s written acknowledgment of having received the Notice of Privacy Practices, as described in Section 1.17.2.
1.10.1 Sharing of PHI for Treatment Purposes
When a provider who is not a member of the practice contacts a staff member and requests information for the purpose of treating a patient previously treated at Precision Care, the staff member may provide information without restriction. It is not necessary for the patient to authorize the disclosure of PHI that will be used for the purpose of treatment.
When disclosing information to another provider for purposes of payment, staff members should use the following procedure.
- A patient may have requested and been granted restrictions on the use or disclosure of PHI. Staff members should review the patient’s records to determine if any restrictions have been placed on the use or disclosure of PHI.
- Before disclosing information for treatment purposes, staff members must verify the identity of the person making the request. In other words, the staff member must determine that the person making the request is, in fact, a health care professional who is requesting the information for the purpose of treatment of the relevant patient. If the professional is known to the practice, is a member of a group that is known to a staff member, or is affiliated with a facility that is known to the practice, a staff member may presume that the provider is who he or she claims to be. Otherwise, a staff member must obtain additional assurances sufficient to satisfy his or her professional judgment that the person requesting the information is a health care provider who will use the information for purposes of treatment of the relevant patient.
- PHI should be sent only to the verified business address of the provider requesting it.
When a staff member requires information on a patient’s health condition from another provider, he or she may request the information without restriction. The patient need not authorize this request.
The information requested must, however, be used for the purpose of evaluating the patient’s medical condition or determining a course of treatment. A patient may have requested and been granted a restriction on the information that is to be used or disclosed to other providers. In this situation, the restriction must be honored.
1.11 Use and Disclosure of PHI for Payment Purposes
Policy
Precision Care uses PHI for the purpose of obtaining payments for health care service.
Precision Care shall do so pursuant to its Notice of Privacy Practices and the HIPAA Privacy Rule. The use and disclosure of information for payment purposes does not require specific authorization, but only the minimum necessary amount of information must be made available.
Procedure
Use and disclosure of PHI is permitted under this policy to conduct the following activities:
- Providing information to the patient’s health plan to determine the patient’s eligibility for benefits and coverage
- Submitting a claim for services to the patient’s health plan
- Processing credit card transactions or transactions to obtain authorization for personal checks
- Providing information needed by the patient’s health plan to determine coverage, including information needed by the health plan to conduct medical review
The Privacy Officer shall oversee and ensure the compliance of Precision Care’s rules and practices in connection with the use and disclosure of PHI for payment-related activities. Before seeking payment for nonemergency treatment, a patient must be given the Notice of Privacy Practices, and a written acknowledgment of receipt must be obtained (as described in Section 1.17.2).
Use and disclosure of PHI for payment purposes is limited to the information that can be transmitted using the standards for electronic transactions. These restrictions apply whether the transaction is conducted electronically or using paper forms.
1.12 Use and Disclosure of PHI for Health Care Operations
Policy
Precision Care uses protected patient information pursuant to its Notice of Privacy Practices and under the guidance of the HIPAA privacy regulations for purposes of health care operations. No patient authorization is needed for the use and disclosure of PHI for certain health-care-operations-related activity, but only the minimum necessary amount of PHI must be made available.
Procedure
Use and disclosure of PHI is permitted under this policy to conduct the following health care operations:
- Quality assessment and improvement
- Professional credentialing
- Medical and utilization review
- Legal services
- Auditing
- Business planning and market research
- Grievance procedures
- Due diligence analysis related to sales and acquisitions
- Creation of de-identified information and limited data sets
- Customer service
- Compilation of patient directories
- Compliance monitoring
Before any Precision Care staff member uses or discloses PHI for any of the health care operations listed above, the staff member must consult with and receive the written approval of the Privacy Officer. (Written approval may apply to classes of activities, not only to specific instances, as appropriate.)
Also before using or disclosing PHI for any of the functions included in health care operations, Precision Care must give the patient its Notice of Privacy Practices and obtain an acknowledgement of receipt. Procedures for obtaining an acknowledgment are described in Section 1.17.2.
1.13 Use and Disclosure for Specialized Government Functions
Policy
Precision Care may use and disclose PHI without written patient authorization for certain specialized government functions as described below. These specialized government functions are:
-
Certain military and veterans activities, as required by the federal government
-
National security and intelligence activities
-
Protective service for the President of the United States and others as authorized by law
-
Certain medical suitability determinations
-
A correctional institution or other law enforcement custodial situation
-
Government programs providing and/or administering public health benefits
Given the unusual nature of this set of exceptions, staff members shall not cause PHI to be used or disclosed for these purposes except with the specific written approval of the Privacy Officer.
1.13.1 Use and Disclosure for Military, Government, Law Enforcement, and Judicial Purposes
Procedure
In certain cases, Precision Care may use and disclose information as appropriate to support military missions if appropriately directed by federal government agencies.
In certain cases, Precision Care may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counterintelligence, and other national security activities authorized by law.
In certain cases, Precision Care may disclose PHI requested by law enforcement agencies without obtaining the patient’s authorization, if such request satisfies the applicable legal standards.
In all cases, Precision Care staff members must refer all such requests for PHI to the Privacy Officer. No disclosure of PHI may be made until the Privacy Officer reviews the request and approves the disclosure. The Privacy Officer is encouraged to seek the advice of qualified legal counsel before approving any such disclosure.
The following describes some specific situations where disclosure of PHI may be appropriate. But even in such cases, disclosure may not be appropriate, and therefore no disclosure shall be made until the Privacy Officer approves (with the advice of an attorney, if the Privacy Officer feels it to be necessary).
-
Reports of certain wounds and physical injuries to appropriate government agencies, as required by state law.
-
Health information requested by a subpoena, court order, order of administrative tribunal, summons, or other legal process.
-
Health information concerning the victim of a crime.
-
Evidence of criminal conduct on the premises of the practice.
-
PHI concerning emergency treatment when the disclosure is necessary to alert law enforcement agencies to the commission of a crime, the location of the victim(s) of a crime, or the identity, description, or location of a suspected perpetrator of a crime.
Even when disclosure is appropriate, HIPAA’s applicable “minimum necessary” rules must be followed.
In addition, before making any such disclosure, the Privacy Officer must obtain from the requesting party one of the following assurances:
-
A credible written assurance that the party seeking the PHI has made a good-faith effort to provide a written notice to the subject of the request, has provided sufficient information to the subject of the request to permit the individual to object to the disclosure, and has resolved any objections that may have been raised.
-
Documentation that the party seeking the PHI has entered into or otherwise obtained a qualified protective order that a) prevents the parties to the legal action from using or disclosing PHI for any purpose not related to the litigation or legal proceeding for which the information was requested, and b) requires the return or destruction of the PHI at the conclusion of that proceeding.
1.13.2 Use and Disclosure for Public Health
Procedure
Precision Care may, when appropriate, report the following information to state and/or federal government agencies as required by law, whether or not the patient authorizes the disclosure:
-
Information required to compile vital statistics (births and deaths)
-
Information on communicable diseases
-
Information on reportable injuries
Before making any such disclosure, Precision Care staff members must consult the Privacy Officer, and shall not make any such disclosure without the Privacy Officer’s written approval.
On occasion, Precision Care staff members may receive requests for PHI from government oversight agencies. All such requests must be sent to the Privacy Officer immediately. The Privacy Officer will review requests for PHI and obtain a legal opinion if he or she believes one is necessary before approving the disclosure of the requested information.
1.14 Use and Disclosure for Marketing and Fundraising
Policy
Precision Care will not use protected patient information for marketing or fundraising.
1.15 Other Uses and Disclosures of PHI
Policy
Precision Care will make PHI available as appropriate under the HIPAA privacy regulations.
1.15.1 Disclosure of Information for the Purpose of Cadaveric Organ Donation
Procedure
Following the death of a patient, Precision Care may disclose PHI to an organ procurement organization such as an eye bank or tissue bank without the patient’s prior authorization and without obtaining the authorization of the patient’s representative.
Precision Care, however, may not disclose this information if a patient or the patient’s representative has indicated that he or she does not want to donate organs or tissue, or if the patient has imposed a restriction on the disclosure of PHI for this purpose.
1.15.2 Disclosure of Information to Coroners and Medical Examiners
Procedure
Precision Care staff members may disclose PHI without the patient’s authorization to a coroner or medical examiner who requests the information for the following purposes:
-
Identification of a deceased person
-
Determination of the cause of death
-
Other purposes specified in state or federal law
We must verify the credentials of the coroner or medical examiner making the request prior to disclosure. If the request is made in person, staff should ask to be shown official identification. If the request is made by telephone, staff should ask that the request be submitted in writing and should obtain the official address to which the information should be sent.
Precision Care staff members must confirm that the information is being requested by the coroner or medical examiner to establish the identity of a deceased person or determine the cause of death.
The requested information must be sent only to the official address of the coroner or medical examiner.
1.15.3 Disclosure to Avert a Threat to Health or Safety
Procedure
Precision Care staff members may disclose PHI without the patient’s authorization if, in the staff member’s professional judgment, such disclosure is necessary to reduce a serious and imminent threat to the health and safety of a person or the public.
-
Information may be disclosed only to a person who is able, in the staff member’s judgment, to prevent or lessen the threat.
-
If the patient has threatened to harm or injure another person or persons, that threat may be disclosed to the person(s) identified by the patient as the target(s).
Except in an emergency situation, staff members must consult with and obtain approval from the Privacy Officer before making any such disclosure. The Privacy Officer will review the underlying facts and will obtain a legal opinion if he or she believes one is necessary before approving the disclosure.
1.15.4 Disclosure to Disaster Relief Agencies
Procedure
Precision Care may disclose information about a patient’s location, medical condition, or death to disaster relief organizations (such as the Red Cross) that are authorized by law or by their charters to assist in disaster relief efforts, even without the patient’s authorization, if failing to do so would interfere with the organization’s ability to respond to an emergency.
1.15.5 Disclosure for Purposes of Research
Procedure
Precision Care may use and disclose PHI for purposes of research with authorization from the patient. In some instances, we may also do so without specific signed authorization.
Precision Care staff members may provide researchers with PHI in the following instances:
-
With a signed authorization from the patient (sometimes found within the informed consent form for the research study)
-
With a HIPAA waiver from the applicable institutional review board or privacy board
-
When a data use agreement is in place with the researcher and there is a “limited data set” provided to the researcher, as described in the data use agreement
-
If the information has been “de-identified” by a method permitted by the HIPAA Privacy Rule
1.15.6 Disclosures to Schools Regarding Immunizations
Procedure
Staff may disclose information regarding immunizations about a patient who is a student or a prospective student at an educational institution, if those immunizations are required by the state or other law for admission. Certain requirements must be met in order to provide this information to the educational institution:
-
A request must come from the educational institution or from the parent/guardian/patient.
-
The PHI to be provided to the school is limited to the proof of the immunizations required.
-
The school must be required by state or other law to have proof of these immunizations on file before admission of this student.
-
The parent, guardian, or the individual himself or herself (if he or she is of age or an emancipated minor) must agree to the disclosure, and this must be documented by the practice.
1.15.7 Disclosure of PHI After Death
Procedure
Precision Care will handle the PHI of a deceased individual according to the policies and procedures that apply to the PHI of living patients. The death of a patient does not reduce the privacy protections that his or her PHI will receive until 50 years after his or her death. At that point, health information is no longer considered PHI unless specially protected by a law other than HIPAA.
1.16 Communications and Media Relations
Policy
It is the policy of Precision Care to ensure that all associates who engage in communications and media relations activities on behalf of the organization do so in a manner compliant with the HIPAA privacy regulations.
Procedure
Internal Uses of PHI
Interviews with and/or articles about individuals circulated within Precision Care. When writing articles or stories that are printed in publications circulated within Precision Care, the staff member may contact the individual patient (or the patient’s provider) so as to obtain signed authorization from the patient to allow Precision Care to interview him or her and to obtain information to publish in the article or story.
Patient satisfaction surveys. Quality assessment and improvement activities are considered “health care operations” under the privacy regulations. To conduct patient satisfaction surveys, which are quality assessment and improvement activities, Precision Care must state in its Notice of Privacy Practices that it may use PHI for health care operations. If Precision Care uses a vendor to conduct patient satisfaction surveys on behalf of Precision Care, there must be a business associate agreement in place.
External Disclosures of PHI
Media inquiries regarding an individual. Directories of facilities in which Precision Care provides services may contain the following information about an individual: (a) name, (b) location in the facility, (c) the condition of that individual in terms that do not communicate specific medical information (for example, critical, satisfactory, good), and (d) religious affiliation. To the extent it is within Precision Care’s discretion to do so, Precision Care must give individuals the opportunity to restrict or prohibit the use or disclosure of PHI for facility directories. Precision Care will never disclose this information to the media, and its staff members must not do so, without the patient’s prior written authorization.
When the media do not know an individual’s name but give other identifying information such as the location or address of an accident, Precision Care may disclose non-patient-specific information, such as age and gender, in addition to the condition of the individual. If the media inquire about an individual by name, subject to that individual’s objection, Precision Care may give the media the information contained in the facility directory.
Media requests for interviews with and/or articles about an individual. Staff members shall not disclose any PHI to individuals or entities who request such information for a news article or story, unless the patient has given written authorization to do so.
Photographs, videos, or other images of individuals. Precision Care must obtain an individual’s written authorization before photographing or taking a video of that individual for medical education, staff education, or publicity purposes. If the individual’s written authorization specifically allows the reuse of the information described above, the information may be reused in accordance with the authorization. If the authorization does not specifically allow the reuse of information, the information may not be reused without an additional authorization.
1.17 Notice of Privacy Practices
Policy
All individuals who receive health care services from Precision Care have the right to receive adequate notice of how Precision Care may use or disclose their PHI, and of their rights and Precision Care’s responsibilities with respect to their PHI. These notices are contained in the Notice of Privacy Practices. Precision Care shall provide a Notice of Privacy Practices to each patient promptly upon beginning to provide services to the patient, and to any other person who requests a copy.
A sample Notice of Privacy Practices as well as a sample acknowledgment form are found in Appendix A in the back of this manual.
Procedure
The Privacy Officer is responsible for developing the Notice of Privacy Practices (sometimes referred to herein as the “Notice”).
The Notice must be written in language that most patients of average intelligence and education will be able to understand. The notice must contain the following elements.
The following language must appear exactly as it is shown here and must be prominently displayed at the top of the notice:
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE
USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
INFORMATION. PLEASE REVIEW IT CAREFULLY.
Uses and Disclosures
The Notice that the Privacy Officer will develop must describe and give examples of how Precision Care may use and disclose PHI for purposes of treatment, payment, and health care operations.
It must identify the legally mandated disclosures that may be made without the patient’s authorization.
It must also indicate that any other use or disclosure of PHI requires the patient’s written authorization, and that the patient can revoke his or her authorization.
Additional Uses of Information
The Notice must identify and describe the other ways in which Precision Care may use PHI. For example, if Precision Care may use PHI in the preparation of appointment reminders, in offering information about treatment and other health-related benefits or services, or in conducting fundraising for the practice, the Notice must say so and explain these circumstances.
Individual Rights
The Notice of Privacy Practices must identify the patient’s rights under the HIPAA Privacy Rule. These include:
-
The right to request restrictions on use/disclosure of PHI
-
The right to receive confidential communications
-
The right to inspect and copy PHI
-
The right to amend PHI
-
The right to receive an accounting of disclosures
-
The right to receive a printed copy of the Notice of Privacy Practices itself
Precision Care’s Duties
The Notice must describe Precision Care’s duties, specifically with respect to maintaining the privacy of PHI, giving the Notice of Privacy Practices to patients, and abiding by the terms of that notice.
Right to Revise Privacy Practices
The Notice must clearly state that the organization reserves the right to modify its privacy practices and that should it do so, the revised Notice will be made available to patients upon their request.
Complaints
The Notice must outline the procedure for submitting complaints concerning Precision Care’s privacy practices, and for reporting suspected violations of privacy rights.
It also must state that Precision Care will not retaliate against the patient for submitting a complaint or reporting a suspected violation.
Contact Person
The Notice must give the name, address, and telephone number of the Privacy Officer.
Effective Date
The Notice must state its effective date. The effective date may not be earlier than the date on which the Notice is printed and made available for distribution.
In the case of revisions to the Notice, the effective date of the revised Notice may not be earlier than the printing and release date of the revised Notice. In other words, the policies described in the Notice cannot go into effect before patients have been informed of the policies.
1.17.1 Giving the Notice of Privacy Practices to Patients
Procedure
The Notice of Privacy Practices must be given to all patients at the time of their first receipt of services from Precision Care. The notice must also be given to any patient who requests one at any time.
-
All patients will be given a copy of the notice during their first contact following [date of policy], whether in person in the office, via a telephone consultation or through other electronic means such as email.
-
Any patient who requests a copy of the notice will be given a copy.
-
A copy of the notice will be posted in waiting areas. If the medical practice maintains a website, the notice will be posted on that site. An individual who receives a copy of the notice electronically (by email) also may request a printed copy of the notice.
Note: In situations where Precision Care staff members are providing services as part of an organized health care arrangement (“OHCA”), then Precision Care and the other members of the OHCA can satisfy their obligation to provide each patient with a Notice of Privacy Practices by providing a single, joint notice that covers all of the participating covered entities. The Privacy Officer shall determine whether it is appropriate to do so in a given situation.
1.17.2 Acknowledgment of the Notice
Procedure
All patients must be asked to sign an acknowledgment that they have received a copy of the Notice of Privacy Practices. Obtaining the acknowledgment is the responsibility of the receptionist, intake administrator, or other staff member that the Privacy Officer designates.
If the patient cannot sign the acknowledgment, his or her personal representative may sign the acknowledgment. If the patient cannot sign the acknowledgment and a personal representative is not available or if the patient refuses to sign the acknowledgment, the staff member who requests the acknowledgment must document the attempt to obtain an acknowledgment and briefly summarize the reason it was not obtained.
When a patient requires emergency treatment, providing the notice and obtaining an acknowledgment should be delayed until the patient’s condition has been stabilized. Copies of all signed acknowledgments should be included in the patient’s medical record or filed with the Privacy Officer.
1.18 Authorization of Use or Disclosure
Policy
In certain situations, Precision Care will only use and disclose PHI pursuant to a written, signed patient authorization. The authorization must comply with the HIPAA Privacy Rule and any pertinent state laws.
A sample Authorization to Use and Disclose Protected Health Information form is found in Appendix A in the back of this manual.
Procedure
When a Precision Care staff member knows in advance of collecting or creating PHI that the information will be used or disclosed for a purpose not covered by the Notice or that otherwise requires authorization, the staff member must attempt to obtain the patient’s authorization at the time the information is collected.
It is not necessary, however, to obtain the patient’s authorization before the information is created. Authorization can be obtained at any time after it is created but before the information is used or disclosed for a purpose that requires patient authorization.
The staff member who uses or discloses the information is responsible for obtaining the patient’s authorization. A staff member’s failure to do so will be subject to sanction under the Sanctions and Penalties Policy.
The staff member who obtains the authorization must provide a copy of the signed authorization to the patient or the patient’s representative.
The staff member who requests the authorization should help the patient to complete the sections that describe the information to be used or disclosed, the purposes of the use or disclosure, the persons who will use or disclose the information, and the persons to whom the information will be disclosed.
-
The medical practice staff member or a person designated by the staff member should review the authorization request with the patient.
-
The patient may request restrictions on the use and disclosure of PHI. The staff member requesting the authorization should consider these requests and may, at his or her discretion, accept or reject them. Accepted restrictions should be clearly noted on the authorization form.
-
The patient should sign and date the authorization form.
-
The signed and dated authorization form should be placed in the patient’s record.
-
The patient must be given a copy of the signed and dated authorization form.
1.18.1 Patient’s Refusal to Sign an Authorization Form
Procedure
Precision Care cannot refuse treatment to any patient for refusing to authorize a specific use or disclosure, except under the following circumstances:
-
The treatment is available only to participants in a research study. A patient who does not authorize use of information for research may be refused treatment that is available only to participants in the research study.
-
The services to be provided have no purpose other than responding to a request for information from another entity (for example, from a parent requesting a physical for a child who wants to participate in sports programs).
When a patient refuses to sign an authorization, it should be determined whether the request involves information included in either of the two categories listed above.
If the authorization is for use and disclosure of information for purposes of research-related treatment, the patient should be told that the treatment is available only to participants in a study and that participants must authorize use and disclosure of their information in the study.
If the authorization involves a request for information from another organization, the patient should be told that the services will not be provided unless disclosure is authorized.
If the patient continues to refuse to sign the authorization, the persons requiring the authorization should be notified of the patient’s refusal.
1.18.2 Revoking Authorization for Use or Disclosure
Procedure
A patient has the right to revoke an authorization. The revocation must be in writing and must be attached to the related authorization.
-
A patient who indicates that he or she wants to revoke an authorization should be given an authorization revocation form.
-
The Precision Care employee who sought the original authorization, if he or she is available, or another staff member should explain to the patient that revoking the authorization will not affect any use or disclosure of information that has already occurred.
-
The patient must sign and date the revocation form. The revocation form must then be appended to the authorization and included in the patient’s records.
1.19 Patient Requests for Restrictions on Uses and Disclosures of Confidential Communications
Policy
Precision Care recognizes that every patient has the right to request restrictions on specific uses and disclosures of PHI, as well as to request confidential communications in certain instances.
1.19.1 Patient Requests for Restrictions on Use and Disclosure
Procedure
A patient may request restrictions on the use and disclosure of PHI for treatment, payment, and health care operations as described in the Notice of Privacy Practices. A patient also may request restrictions on the use and disclosure of PHI covered by an authorization form.
Precision Care should consider these patient requests but is not required to accept them. We will generally accept a request for a restriction on the uses and disclosures that are described in the Notice of Privacy Practices or outlined in an authorization only if the following criteria are met:
-
The request will not impede treatment, payment, or Precision Care’s day-to-day functioning.
-
The restrictions will not interfere with the purpose for which an authorization is being sought.
-
The patient has valid reasons for requesting the restrictions, in the judgment of the patient’s physician.
One instance in which Precision Care will be required to accept the requested restriction is when a patient has requested a restriction on a release of information to a third-party payer for a service he or she has already paid for in full out of pocket. In that instance, Precision Care must accept the individual’s request for restriction, unless it is otherwise prohibited by law.
Once Precision Care accepts requested restrictions, Precision Care and its staff members must honor the restrictions unless doing so would interfere with emergency treatment.
-
All restrictions to which Precision Care agrees must be documented in writing.
-
A restriction on the disclosure of information that a patient requests and to which Precision Care agrees does not prevent Precision Care from disclosing information that is mandated by law.
-
All requests for restrictions must be forwarded to the Privacy Officer (or a designee) to determine whether the requested restriction would impede the use of information for treatment, payment, or health care operations.
-
The Privacy Officer (or designee) will ask the patient to explain why he or she is seeking the restriction.
-
Precision Care should agree to the restriction if, in the judgment of Precision Care, it will meet the requirements set out in this policy.
-
If the request is agreed to, it must be documented on the authorization form to which it applies.
1.19.2 Termination of Restrictions on Use and Disclosure
Precision Care may terminate a restriction on the use and disclosure of PHI to which it has agreed, with the exception of any restrictions that we are required by law to accept.
Each patient must be notified of any termination of a restriction and must be given an opportunity to agree or disagree with the termination.
-
If the patient agrees to the termination, information collected before the date of the termination may be used or disclosed as though the restriction had never been accepted.
-
If the patient does not agree to the termination, only information collected after the date of the termination may be used or disclosed without considering the restriction. The restriction will continue to apply to information collected before the date of the termination.
-
The termination of a restriction must be attached to the authorization form in which the restriction appears.
-
A Precision Care staff member who wishes to terminate a restriction should contact the Privacy Officer and discuss the need for the termination.
-
The termination request should be approved if the continuation of the restriction would substantially impede treatment, payment, or the day-to-day operation of the practice.
-
The staff member will then contact the patient to discuss the need for the termination and to seek the patient’s agreement.
-
If the patient agrees to end the restriction, he or she must sign a statement to that effect. If the patient is not available to sign a written statement, his or her oral agreement should be noted, signed, and dated by the staff member who discussed the termination with the patient.
-
The termination of the restriction must be attached to the authorization form in which the restriction appears.
1.19.3 Patient Requests for Confidential Communication
Precision Care staff members must accommodate a patient’s request for confidential communication if the following criteria are met:
-
The patient provides an alternative address or telephone number at which he or she may be contacted.
-
The request can be accommodated without limiting Precision Care’s ability to submit claims to the patient’s health plan.
If the request for confidential communication will prevent Precision Care from submitting claims to the patient’s health plan, the request will be accommodated only if the patient identifies another method of paying for services.
Requests for confidential communication must be made in writing. The staff member may provide the patient with a confidential communication request form, or the patient may simply submit a written request.
The staff member must not require the patient to explain why he or she wants to receive confidential communications, although the staff member is permitted to request such an explanation. The patient may refuse to provide any explanation or justification for his or her request.
-
When a patient requests confidential communication of PHI (for example, the results of diagnostic tests), the staff member to whom the request is made should tell the patient that the request must be made in writing and explain the conditions that must be met before the request will be granted.
-
A staff member will then give the patient a confidential communication request form.
-
The staff member will then inform the patient that the request will be accommodated if the patient provides an alternative means of making confidential communications. For example, the patient could provide a telephone number at which messages to contact the provider can be left. No method of contacting the patient that prevents a staff member from identifying both the patient and the medical practice will be considered acceptable.
-
The request for confidential communication must be documented in writing.
1.20 Personal Representatives
Policy
It is Precision Care’s policy to recognize personal representatives as required by the HIPAA privacy regulations. A personal representative may act on behalf of the patient for the purposes of authorizing use and disclosure of PHI, or receiving information that otherwise would be sent to the patient.
1.20.1 Designation of a Personal Representative
Procedure
A personal representative may be the spouse, adult child, or other member of the patient’s family. A personal representative also may be a close personal friend, or any individual with power of attorney or other legally recognized authority to make medical decisions on behalf of the patient if he or she is incapacitated or otherwise unable to make decisions.
A patient may designate a personal representative in writing. However, a person who is identified in the patient record as having medical power of attorney or other legal authority to act on behalf of the patient will be recognized as a personal representative.
A parent or legal guardian of an unemancipated minor (generally a child under the age of 18) will be recognized as a personal representative of the child.
-
A Precision Care receptionist, intake administrator, or other staff member that the Privacy Officer designates should ask the patient to identify an individual or individuals who may act as the patient’s personal representative on the acknowledgment form.
-
If a patient becomes incapacitated, a person accompanying the patient will be recognized as the patient’s personal representative if he or she can present evidence of having legal power of attorney or other legally recognized authority to make medical decisions on behalf of the patient.
-
The parent or legal guardian of an unemancipated minor will be recognized as the personal representative of a child, subject to the restrictions contained in Section 1.21.
1.20.2 Authority of Personal Representative
Procedure
If a patient is incapacitated, a personal representative may sign any form (such as authorization, revocation of authorization, and request for access to information) on the patient’s behalf, the uses of which are described in this privacy manual.
A personal representative may receive PHI concerning the patient necessary to carry out the representative’s legal duties to the patient (for example, providing an informed consent to treatment, or for enforcing an advance directive concerning life support).
1.20.3 Refusal to Recognize Personal Representative
Procedure
A Precision Care staff member may refuse to disclose information to a person identified as a patient’s personal representative if the staff member believes that disclosing such information may endanger the patient.
- A staff member who believes that disclosing information to a personal representative may endanger the patient must notify the Privacy Officer immediately.
- Requests from the personal representative for information concerning the patient should promptly be referred to the Privacy Officer.
1.21 Parental Access to PHI Concerning Children
Procedure
A parent, guardian, or other person recognized by state law as acting in loco parentis on behalf of a patient who is an unemancipated minor will be recognized as the patient’s personal representative.
Note: In this policy the term “parent” refers to a parent, guardian, or other person acting in loco parentis.
A parent may act as a personal representative unless state or other law permits the minor to request that information not be shared with a parent.
Generally, Precision Care requires a parent’s signature on any authorization forms for a minor patient unless the patient requests that his or her parents not be notified.
The Privacy Officer is responsible for reviewing any minor’s request for confidentiality pertaining to the use or disclosure of PHI that relates to a parent to determine whether the request complies with state and federal laws.
1.22 Disclosure of Information to Family Members
Procedure
PHI concerning a patient may be disclosed to a family member, other relative, or close personal friend of the individual who requires the information to assist in the patient’s care and treatment, subject to the following rules and restrictions.
• If the patient is able to, he or she must agree to the sharing of this information before it occurs. Patients should generally be asked whether information may be shared with family members. However, permission can be assumed if the patient has an opportunity to object to disclosure of information to family members and does not do so.
• If the patient is incapacitated, Precision Care staff members may exercise their professional judgment in determining when it is in the patient’s best interests to disclose PHI to the family member, relative, or close personal friend.
The information that may be disclosed to a family member, relative, or close personal friend is limited to information directly relevant to that person’s involvement in the patient’s care.
• If possible, disclosure of information to others should occur when the patient is present or after the patient has expressly agreed to the disclosure.
• If the patient is present or available for consultation concerning the disclosure, he or she should be given an opportunity to object to the disclosure. If the patient objects, the information should not be disclosed.
• If the patient is not present or available for consultation, or is incapable of agreeing or objecting to the disclosure, the attending physician should be asked to apply his or her best professional judgment to determine whether disclosure is in the best interest of the patient.
• If the patient agrees to the disclosure or the disclosure is determined to be in the best interest of the patient, only that information that is directly relevant to the family member’s involvement in the patient’s care may be disclosed.
1.23 Patient Access to PHI
Policy
Patients have the right to receive access to their PHI under the HIPAA privacy regulations. It is the policy of Precision Care to ensure that these rights are met.
1.23.1 Patient Requests for Access to PHI
Procedure
A patient or a patient’s representative may, subject to approval under Section 1.23.3, inspect and obtain a copy of patient information maintained in medical records or other information systems of Precision Care. The procedures for doing so are as follows:
• A patient must submit a request to inspect or copy PHI as provided for in Section 1.23.2.
• The request will be reviewed under Section 1.23.3.
• If the request is denied, the patient will be informed as provided for in Section 1.23.4.
• If the request is approved, the patient will be given access to the requested information as provided under Sections 1.23.5 – 1.23.8.
1.23.2 Requests for Access to PHI
Procedure
A patient may inspect or copy his or her PHI by requesting the opportunity to do so in writing.
• When a patient or the patient’s representative requests access to information, he or she should be told that all requests to inspect or copy PHI must be submitted in writing. The patient should be referred to the Privacy Officer.
• The Privacy Officer will give the patient or the patient’s representative a copy of a request form and explain Precision Care’s policies on allowing patients to inspect their information.
• Upon receipt of a request form, Precision Care will review the request as explained in Section 1.23.3.
1.23.3 Review of Patient Requests for Access to PHI
Procedure
All requests for access to personal health information will be sent promptly to the Privacy Officer. A copy of the request will be filed in the patient’s records.
The Privacy Officer will consider the restrictions on access listed below when determining whether to approve or deny the request to inspect or copy PHI.
A decision to grant the patient or the patient’s personal representative permission to inspect or copy the requested information will be made within 30 days of the date the request is submitted.
If the PHI is maintained in electronic form and the patient would like to view the information or receive a copy of it in electronic form, he or she must make that request specifically on the request form.
Restrictions on Access
• Psychotherapy notes will not be made available to the patient unless approved by the treating therapist or successor.
• Information compiled in anticipation of, or for use in, legal proceedings will not be made available to the patient or the patient’s legal representative unless required by law or court order.
• Information that, by law, may not be disclosed to the patient will not be made available to the patient or the patient’s representative.
• Information will not be made available if a licensed health care professional believes that it is likely to endanger the life or physical safety of the patient.
• Information will not be made available if a licensed health care professional believes that access to the information is reasonably likely to cause substantial harm to a person other than the patient who is referenced in the patient’s records.
• Information will not be made available to a personal representative of the patient if a licensed health care professional believes that access to the information by the personal representative is reasonably likely to cause harm to the patient or to another person.
The Privacy Officer will review each request to inspect or copy PHI and will contact the patient’s physician or other licensed health care professional to determine if there are any reasons to restrict the patient’s or patient representative’s access to the information.
If the request is rejected, wholly or in part, the patient will be notified using the procedures outlined in Section 1.23.4.
If the request is approved, the patient will be notified and arrangements made for the patient to inspect or copy the requested information using the procedures described in Sections 1.23.5 – 1.23.8.
1.23.4 Communication of Denial of Requests for Access to Personal Health Information and Review of Decision to Deny Access
Procedure
A written explanation of the denial of a patient’s request to inspect or copy PHI will be prepared using the appropriate form. If an alternative, such as a summary of the requested information, could satisfy the patient’s request at least in part, the communication should describe that alternative.
A patient or the patient’s representative whose request to inspect or copy PHI is denied may request a review of that decision by a licensed health professional who was not involved in the decision to deny the request.
• When the Privacy Officer receives a copy of the denial notice indicating that the patient is requesting a review of the denial, the Privacy Officer must forward the request to a licensed health professional who was not involved in the original denial and ask the physician to review the decision.
• The review should be completed within 30 days. The Privacy Officer will follow up with the reviewing physician if the review is not completed within 30 days.
• The Privacy Officer will then communicate the result of the review to the patient using the reviewer form, and Precision Care will abide by it.
1.23.5 Timing of Inspection of Records
Procedure
Although requested information is generally made available to the patient within 30 days of the date the request is made, that time period can be extended to 60 days if the records in question must be retrieved from off-site storage.
1.23.6 Communication of Decision to Permit Inspection or Copying of PHI
Procedure
Precision Care will communicate the approval of a patient’s request to inspect or copy PHI to the patient or the patient’s representative using a request approval form.
• The Privacy Officer will determine the earliest date at which the requested information can be made available.
• The form must specify the date and time that the records will be available for copying or viewing.
• The Privacy Officer or a designated staff person will prepare the approval form and send it to the patient.
1.23.7 Arrangements for Inspection of PHI by Patients
Procedure
Arrangements should be made to provide access to PHI at a place and time convenient for the patient.
The patient must inspect the records on the premises of the medical practice. If this is not satisfactory to the patient, he or she should be given the option of having copies made and sent to an address that he or she specifies. However, the patient may be charged the cost of preparing and mailing the copies or for the supplies and labor to put together the electronic version for mailing.
1.23.8 Fees for Copying Personal Health Information
Procedure
If the patient requests copies of personal health information maintained by the medical practice, he or she will be charged a flat fee of $______.____ plus $______.____ per page. If the patient requests their records be put onto a disk or USB drive, he or she will be charged a flat fee of $______.____ plus $______.____ for the supplies.
1.24 Amendment of Health Information
Policy
Patients have the right to request that amendments be made to their PHI under the HIPAA privacy regulations. It is Precision Care’s policy to ensure that these rights are met.
Procedure
A patient may request amendment of the information maintained by Precision Care in the designated record sets listed below. The patient must follow the procedures outlined in Section 1.24.1 when requesting amendment of information maintained by Precision Care.
Designated Record Sets
Patients may request amendments to information contained only in the following record sets:
• The patient’s medical records
• The patient’s billing records
• Other records that contain PHI used to direct treatment
1.24.1 Procedures for Requesting Amendment of Information
Procedure
Patients may request amendments to their PHI by submitting the patient information amendment form.
• Patients who indicate their belief that the information in their records is incorrect should be given a patient information amendment form.
• Patients will be referred to the Privacy Officer, who will resolve questions about the form and whether amendment is appropriate (see Section 1.24.2).
1.24.2 Action on Requests for Amendment of Information
Procedure
The Privacy Officer may deny a patient’s request to amend records if any of the following criteria are met:
• The information to be amended was not created by Precision Care but was received from another entity.
• The information to be amended is accurate and complete.
• The information to be amended does not exist in the specified records.
• The information to be amended is not available for inspection by the patient or the patient’s representative (see Section 1.23.1).
Action must be completed on any request for amendment within 60 days of receiving the request. If action cannot be completed within 60 days, Precision Care must notify the patient of the delay, including the reasons for the delay, and complete the review within 90 days of the date the request was originally received.
• All patient information amendment forms should be forwarded to the Privacy Officer.
• The Privacy Officer should contact the patient’s licensed health care professional (or a staff member he or she designates) and request that they review the requested amendments.
• The licensed health care professional (or designee) must indicate which, if any, of the requested amendments should not be made because the information in the patient’s record is accurate and complete or meets the other requirements for denying a request that are listed above.
• The physician or designated staff member should then return the form to the Privacy Officer.
• The Privacy Officer should review the form after it is returned by the patient’s physician and identify any information that should be amended.
• The Privacy Officer should initiate the procedures for amending PHI specified by Sections 1.24.4 – 1.24.5.
• The Privacy Officer should prepare a response to the patient as required by policies in Sections 1.24.6 – 1.24.8.
1.24.3 Communication of Decision on Requests for Amendment of Information
Procedure
After completing the review of a patient’s request for amendment of PHI, the Privacy Officer will complete the patient information amendment form by indicating the disposition of each requested amendment.
A copy of the completed patient information amendment form will be sent to the patient along with any explanatory comments that the Privacy Officer believes to be necessary.
The patient will be asked to submit the names and addresses of any organizations or individuals that he or she has reason to believe have received the uncorrected information for the purpose of notifying them of the amendment.
1.24.4 Procedures for Amendment of Internal Records
Procedure
When a patient’s request for amendment of PHI is approved, either of the following procedures should be followed:
• The records containing the affected information are updated.
• The amended information is linked to the original information.
The Privacy Officer will refer the request for amendment to the staff member responsible for maintaining the affected records and will identify the records that need to be amended. Those records should either be amended or be linked to the amended information (that is, contained in a new or corrected record where it will be available when the affected information is used or disclosed in the future).
1.24.5 Notifying Other Parties That Information Has Been Amended
Procedure
When a patient’s PHI is amended pursuant to a patient’s request, Precision Care must provide notice of the amendment to all other organizations to which the information being amended has been disclosed.
Organizations to be notified include:
• Business associates, health plans, and other providers the Privacy Officer can identify as having received the information
• Persons and organizations the patient can identify as having received the information that requires amendment, but only to the extent that the Privacy Officer can confirm that these persons or organizations previously received the information
Precision Care is not required to confirm that the organizations or other entities notified of the amendment have updated their records.
1.24.6 Denial of Request for Amendment
Procedure
When a request to amend PHI is denied, Precision Care will notify the patient of the decision in writing. The notice sent to the patient must advise the patient of the following:
• The patient may submit a statement of disagreement that will become part of his or her records and will, in the future, be disclosed to any person or organization that receives the identified information.
• If the patient does not submit a statement of disagreement, he or she may ask the medical practice to include the request for amendment and the denial in any future disclosure of the identified information to any person or organization that receives the identified information.
• The patient may file a complaint with the provider concerning the request for amendment (a description of how the patient can file this complaint must be included in the notice).
The letter must identify the name, mailing address, and telephone number of the Privacy Officer.
1.24.7 Statement of Disagreement
Procedure
If the patient disagrees in writing when notified that a request for amendment of protected information has been denied, the Privacy Officer will review the objection and append or link it to the patient’s record. This will ensure that the objection will accompany the original information when it is used or disclosed in the future.
The Privacy Officer may prepare an accurate summary of the patient’s statement of disagreement if he or she believes that a summary will adequately provide a clear understanding of the disputed information.
1.24.8 Rebuttal of Disagreement
Procedure
If a patient disagrees in writing when notified that a request for amendment of PHI has been denied, the Privacy Officer will review the statement and determine whether a formal rebuttal or response, as provided for in federal regulations, is necessary. If it is determined that a rebuttal is necessary, the Privacy Officer will prepare and append it to the patient’s records.
• The Privacy Officer will consult as necessary with the patient’s licensed health care professional to make this determination.
• Both the patient’s statement of disagreement and the rebuttal statement will be noted in the patient’s records.
• The statement of disagreement and the rebuttal will be either included in the patient’s records or linked to those records to permit them to be included with the original information when it is used or disclosed in the future.
• A copy of the rebuttal statement will be sent to the patient.
1.24.9 Receipt of Notification of Amendment
Procedure
When notified by another medical practice, health plan, or other covered entity that PHI received earlier has been amended, Precision Care will follow the procedures in place for handling its own amended information.
1.25 Accounting to Patients for Disclosures of Information
Policy
Patients have the right to request an accounting of specific types of uses and disclosures of their PHI made under the HIPAA privacy regulations. It is the policy of Precision Care to ensure that these rights are fulfilled.
1.25.1 Procedure to Request an Accounting of Disclosures
Procedure
To receive an accounting of disclosures of PHI, a patient must submit a written request to the Privacy Officer.
• A patient who indicates to any staff member that he or she would like to receive an accounting of disclosures should be told to contact the Privacy Officer.
• The Privacy Officer will provide the patient with a disclosure accounting form and review the types of disclosures that will be reported in the accounting.
• The Privacy Officer will determine whether the ability of the patient to obtain an accounting of disclosures has been suspended in response to a request from a law enforcement or health oversight agency.
• If the patient’s right to an accounting has not been suspended, the Privacy Officer will start preparing an accounting.
1.25.2 Charges for Accountings of Disclosures
Procedure
If a patient requests more than one accounting during any 12-month period:
• The patient will not be charged for the first accounting.
• If the patient received an accounting for which he or she was not charged during the preceding 12 months, he or she will be informed that the medical practice will charge $______.____ for the second accounting. If the patient agrees to pay this fee, the accounting will be provided.
1.25.3 Suspension of a Patient’s Right to Receive an Accounting of Disclosures
Procedure
A law enforcement or health oversight agency may request that Precision Care suspend the patient’s right to request an accounting of disclosures. All such requests from law enforcement agencies must be submitted in writing. The written request must indicate that providing an accounting is likely to impede the agency’s activities and must also specify a time period during which the patient’s right will be suspended.
Requests for suspensions that last more than 30 days must be made in writing, and must include a justification for the need to suspend for the requested time period. If a written request is not submitted, the individual’s right to an accounting may be suspended for no more than 30 days.
• Precision Care will direct all communications from a law enforcement or health oversight agency that request the suspension of a patient’s right to an accounting of disclosures to the Privacy Officer.
• The Privacy Officer will verify the credentials of the government official that makes a verbal request and document the identity of the official or agency.
• The Privacy Officer will place the patient’s name on a list of persons whose right to an accounting has been suspended pursuant to an official request.
1.25.4 Information to Be Provided in an Accounting of Disclosures
Procedure
The information that will be provided to patients pursuant to the patient’s request for an accounting of disclosures includes:
• The date of the disclosure
• The name of the entity or person who received the PHI
• A brief description of the purpose of the disclosure or a copy of the authorization for the disclosure
Note: Disclosures to other covered entities or business associates for purposes of treatment, payment, and health care operations should not be included in the accounting.
1.25.5 Documentation of Accountings Provided to Patients
Procedure
Precision Care must make copies of all accountings of disclosed information prepared for patients. The copies must be kept for six years.
1.25.6 Documentation of Disclosures Requiring an Accounting
Procedure
Each time a staff member discloses PHI (other than to other covered entities or business associates for purposes of treatment, payment, and health care operations), the staff member must document the disclosure.
• Any disclosure, other than a disclosure for purposes of treatment, payment, or health care operations, will be documented by completing a disclosure accounting form.
• The disclosure accounting form will be forwarded to the Privacy Officer, who will update the files and databases that are used to prepare accountings of disclosures.
1.26 Submission of Complaints
Policy
Precision Care has adopted a process by which complaints regarding potential privacy violations can be submitted for investigation by the Privacy Officer or a designee.
Procedure
A patient or other individual who wants to file a complaint concerning Precision Care’s privacy policies and procedures, or a suspected disclosure of PHI that violates federal or state law, should:
• Be directed to the Privacy Officer (or a designee) for answers to questions about filing complaints
• Be provided a copy of the complaint form by the Privacy Officer (or a designee) to be returned by mail to the address printed on the form, or in person by leaving it with the Privacy Officer (or a designee)
1.27 Complaint Resolution Procedures
Policy
It is Precision Care’s policy to work to resolve every complaint raised by an individual. All potential violations of privacy will be investigated.
1.27.1 Complaints Concerning Privacy Policies and Procedures
Procedure
Precision Care’s procedures for resolving complaints submitted by patients or other individuals concerning Precision Care’s privacy practices or the policies and practices established in this manual are outlined below.
• Upon receiving a complaint (either a complaint form or a letter outlining a complaint), the Privacy Officer or a designated staff member will review the complaint, evaluate the specific details of the complaint, and determine whether the complaint warrants a change in the privacy policies or procedures of the medical practice.
• If a change appears to be warranted, the staff member conducting the evaluation will develop a recommendation and submit it to the Privacy Officer, who will determine whether an immediate change in policies and procedures is needed to prevent a violation of federal or state privacy standards, laws, or regulations.
• If it is determined that a change in policies and procedures is necessary, a revised policy will be prepared following the procedures outlined in Section 1.8. The Privacy Officer will prepare a response and send it to the individual submitting the complaint. The response should thank the individual for his or her interest. It should indicate that the suggestion has been evaluated, and state that Precision Care believes that its procedures, as revised, comply with federal and state requirements.
• If a change does not appear to be warranted, the Privacy Officer will prepare a response and send it to the individual submitting the complaint. The response should thank the individual for his or her interest and indicate that the suggestion has been evaluated but that Precision Care believes that its current privacy procedures comply with federal and state requirements and are sufficient to protect patient privacy.
• Receipt of the complaint and its final disposition should be documented using the procedures outlined in Section 1.27.
1.27.2 Complaints Arising from Possible Violations of Privacy Policies
Procedure
The procedures that Precision Care will use to resolve complaints that patients or other individuals submit concerning the disclosure of PHI are outlined below.
• A staff member who receives a complaint from a patient or other individual that concerns a possible use or disclosure of PHI that violates Precision Care’s privacy policies and procedures, or that violates federal and state law, must immediately refer the complaint to the Privacy Officer.
• The Privacy Officer will review the complaint and determine whether a violation occurred and, if so, whether the violation involves only the privacy policies and procedures established in this manual or also involves a violation of federal and state privacy laws and standards.
• If the Privacy Officer determines the complaint may involve a violation of federal or state standards and legal requirements, he or she will immediately forward the complaint to Precision Care’s legal counsel for evaluation. The request for evaluation should specify a date by which the evaluation should be completed.
• The Privacy Officer should follow up and track the status of the referral. If the evaluation indicates that federal or state standards may have been violated, Precision Care will follow the mitigation procedures established in Section 1.28.
• If the Privacy Officer determines that the complaint does not involve a violation of federal or state standards and legal requirements, he or she will determine whether Precision Care’s privacy policies and procedures were violated. If policies and procedures have been violated, Precision Care will initiate disciplinary procedures set forth in Section 1.6.
• Upon completion of step 4, the Privacy Officer will contact the person submitting the complaint and notify him or her of the actions that will be taken to address the complaint.
• Evaluations of complaints should generally be completed within 30 days of receipt.
• The receipt of the complaint and the final disposition should be documented using the procedures established in Section 1.27.
1.27.3 Documentation of Complaints
Procedure
The Privacy Officer will establish and maintain files containing documentation of all complaints received. This documentation will include the actions taken to address or resolve the complaint, including any written correspondence with the person submitting the complaint.
1.28 Mitigation
Policy
It is the policy of Precision Care to mitigate (to the extent possible) any harmful effects resulting from the use or disclosure of PHI in violation of Precision Care policies and procedures, or the requirements of federal or state law.
Procedure
Whenever the Privacy Officer determines that a use or disclosure of PHI has violated the policies and procedures established by this manual, or the requirements of federal or state law, the matter will be referred to Precision Care’s legal counsel to:
• Determine any action needed to mitigate any harm that may result to the patient whose information was used or disclosed
• Evaluate the practice’s legal exposure and recommend a course of action
• Follow up with the patient
All communications with the patient concerning use or disclosure of PHI that legal counsel determines may violate federal or state standards and legal requirements should be handled by Precision Care’s legal counsel.
1.29 Nonretaliation and Protection for Whistleblowers
Policy
It is the policy of Precision Care that no retaliatory action will be taken against patients, staff, or any others that bring to the organization’s attention a potential privacy violation.
Procedure
As an organization, Precision Care does not partake in any type of intimidation, threats, coercion, discrimination, or other retaliatory action against any persons that bring to the attention of Precision Care or the HHS Office of Civil Rights potential problems with our privacy practices. Any issues brought directly to the Privacy Officer will be investigated, and appropriate sanctions will be applied in the event that an issue is found.